Enforcing access structures in fully homomorphic encryption

ABSTRACT

A homomorphic encryption system receives a ciphertext output of an arithmetic evaluation function. The arithmetic evaluation function is performed on a ciphertext input homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property. The ciphertext output is decrypted using a summation of two or more noise-canceling party identifiers of two or more authorized parties, wherein the intersection property of the sets cancels out errors generated during the decrypting operation for the two or more authorized parties.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is related by subject matter to U.S. application Ser. No. 17/164,509, filed concurrently herewith and entitled “Fully Homomorphic Encryption from Error Canceling Set-Systems,” which is specifically incorporated by reference for all that it discloses and teaches.

SUMMARY

The described technology provides methods and systems for homomorphic encryption, including receiving a ciphertext output of an arithmetic evaluation function. The arithmetic evaluation function is performed on a ciphertext input homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property. The ciphertext output is decrypted using a summation of two or more noise-canceling party identifiers of two or more authorized parties, wherein the intersection property of the sets cancels out errors generated during the decrypting operation for the two or more authorized parties.

This summary is provided to introduce a selection of concepts in a simplified form that is further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

Other implementations are also described and recited herein.

BRIEF DESCRIPTIONS OF THE DRAWINGS

FIG. 1 illustrates an example fully homomorphic encryption system.

FIG. 2 illustrates an example flow through a homomorphic evaluation circuit.

FIG. 3 illustrates example components used in a fully homomorphic encryption system.

FIG. 4 illustrates example operations for evaluating homomorphically encrypted ciphertext.

FIG. 5 illustrates example operations for decrypting homomorphically encrypted ciphertext.

FIG. 6 illustrates an example computing device for implementing the features and operations of the described technology.

DETAILED DESCRIPTIONS

Homomorphic encryption allows certain computations on encrypted data (i.e., ciphertexts generated from plaintext data) to generate an encrypted result that, when decrypted, matches the result of the same operations performed on the plaintext data. Homomorphic encryption can be applied to computations that are known and relatively simple (e.g., a limited number of additions and multiplications). For example, a data owner wishes to send data to the cloud for computation but does not trust the cloud service provider with the data. Using a homomorphic encryption scheme, the data owner can encrypt the data and send it to the cloud service, which performs the computations on the data without decrypting it and sends the encrypted results back to the data owner. The data owner can then decrypt the encrypted results to access the plaintext results. In some implementations, the encrypted results may be decrypted by an authorized subset of collaborating parties according to an enforced access structure.

Fully Homomorphic Encryption (FHE) refers to homomorphic encryption schemes that allow an unbounded number of addition and multiplication operations over the encrypted data. Generally, adding ciphertexts together adds a small error (sometimes referred to as “noise”) to the computational results. In contrast, multiplying ciphertexts together tends to introduce greater error in the computational results during evaluation. Limiting, diminishing, or eliminating the error from the evaluation result may involve constraining the number and types of operations performed, bootstrapping, or some other supplemental error-removal operations (which can significantly decrease the performance of the evaluation), etc.

As an alternative, a set-system may be selected that includes sets having an intersection property that cancels out the error during the evaluation, rather than by constraining the operation or performing supplemental error-removal operations. This approach dramatically improves the performance of the evaluation. Vectors may be selected from a covering vector family that represents the set-system, such that the inner product of the vectors equals a multiple of a chosen non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer. The vectors may be used to homomorphically encrypt plaintext into ciphertext input for the evaluation. Errors generated during the evaluation are then canceled out based on the intersection properties of the set-system used to encrypt the ciphertext input.

FIG. 1 illustrates an example fully homomorphic encryption system 100. Plaintext input 102, which may be encoded from raw input data, is received through a communications interface of an encryption operator configured to perform a homomorphic encryption 104 process based on a set-system having an intersection property. In one implementation, the intersection property is characterized by two vectors of a covering vector family of the set-system that have an inner product equal to a multiple of a chosen non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer. The result of the homomorphic encryption 104 is output via the communications interface of the encryption operator as ciphertext input 106.

In one implementation, the homomorphic encryption 104 can be described as follows. A vector v is sampled from the covering vector family V such that the set H∈ℋ represented by v has s^(l−1) proper supersets in ℋ. Recall that s is superpolynomial w.r.t. h and r. An error E is randomly sampled from a cyclic generator set ℑ for module M, which is used to define the CLWE distribution. Party P_(b) (b∈{0,1}) is provided with {E, A₀, A, x_(b)}, where x_(b)=⟨v, v_(b)⟩

for some v_(b) ∈ V

such that H_(b)

H and H

H_(b). Pick an integer q such that m=lφ(q) and l²φ(q)=q. Party P_(b) encrypts its plaintext S_(b)∈ℑ and generates addition compatible ciphertext as: C_(a)^((b))=AS_(b)+⟨v, v_(b)⟩E mod q. Party P₀ generates multiplication compatible ciphertext C_(d)⁽⁰⁾ as: C_(d)⁽⁰⁾A₀=AS₀+E^(⟨v,v₀⟩) mod q, and party P₁ generates its multiplication compatible ciphertext as: C_(d)⁽¹⁾A=A₀S₁+E^(⟨v,v₁⟩) mod q. C_(d)^((b)) can be computed via lattice trapdoors.

The ciphertext input 106 is provided to a homomorphic evaluation circuit 108 having one or more multiplicative gates and/or additive gates in the homomorphic evaluation circuit 108. Each level in the homomorphic evaluation circuit 108 has one matrix assigned to it. A is the level 0 matrix. The matrices for all other levels alternate between A and A₀. Addition of any two addition compatible ciphertexts is straightforward via simple addition, yielding a result that depends upon the choice of v₀ and v₁. Multiplication of two compatible ciphertexts can be performed as:

$\begin{matrix}{{C_{d}^{(1)}C_{d}^{(0)}A_{0}} = {{C_{d}^{(1)}\left( {{AS}_{0} + E^{\langle{v,v_{0}}\rangle}} \right)}{mod}q}} \\{= {{C_{d}^{(1)}{AS}_{0}} + {C_{d}^{(1)}E^{\langle{v,v_{0}}\rangle}{mod}q}}} \\{= {{A_{0}S_{1}S_{0}} + {E^{\langle{v,v_{1}}\rangle}S_{0}} + {C_{d}^{(1)}E^{\langle{v,v_{0}}\rangle}{mod}{q.}}}}\end{matrix}$

Since ℑ is cyclic, the “nature” of the errors remains preserved throughout the multiplication. If S₀=E^(⟨v, v_(z)⟩) for some randomly sampled v_(z)∈V, then the errors get reduced in the desired manner.

The result of the evaluation is output as homomorphically encrypted ciphertext output 110, which is received through a communication interface of a decryption operator configured to perform a homomorphic decryption 112 process to yield the plaintext output 114 of the evaluation. The plaintext output 114 may also be output via the communication interface. Accordingly, the ciphertext input 106 can be evaluated against an arithmetic function without the ciphertext input 106, the ciphertext output 110, and any intermediate ciphertext being decrypted by the evaluating process. In some implementations, the encrypted results (the ciphertext output 110) may be decrypted by an authorized subset of collaborating parties according to an enforced access structure.

The description provided herein relies on certain notations and concepts listed below:

ℤ: set of all integers,

ℚ: set of all rational numbers,

ℝ: set of all real numbers.

Definition 1 (Hadamard/Schur product)—The Hadamard/Schur product of two vectors u, v∈ℝ^(n), denoted by u∘v, returns a vector in the same linear space whose i-th element is defined as: (u∘v)[i]=u[i]·v[i], for all i∈[n].

Definition 2 (Negligible Function)—For a security parameter ω, a function ϵ(ω) is called negligible if, for all c>0, there exists an ω₀ such that ϵ(ω)<1/ω^(c) for all ω>ω₀.

Theorem 3 (Euler's Theorem)—Let y be a positive integer and ℤ_(y)* denote the multiplicative group modulo y. Then for every integer c that is coprime to y, it holds that: c^(φ(y))=1 mod y, where φ(y)=|ℤ_(y)*| denotes Euler's totient function.

Definition 4 (Access Structures)—Let 𝒫={P₁, . . . , P_(n)} be a set of parties. A collection Γ⊆2^𝒫 is monotone if A∈Γ and A⊆B imply that B∈Γ. An access structure Γ⊆2^𝒫 is a monotone collection of non-empty subsets of 𝒫. Sets in Γ are designated as “authorized,” and sets not in Γ are designated as “unauthorized.”

If Γ consists of all subsets of 𝒫 with size greater than or equal to a fixed threshold t, where 1≤t≤|𝒫|, then Γ is called a t-threshold access structure.

Definition 5 (Minimal Authorized Subset)—For an access structure Γ, the family of minimal authorized subsets Γ₀⊆Γ is defined as: Γ₀={B∈Γ: there is no A∈Γ\{B} with A⊂B}. Hence, the family of minimal authorized subsets Γ₀ uniquely determines the access structure Γ, and it holds that: Γ=cl(Γ₀), where cl denotes closure.
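As an added example (not part of the patent text), the following Python code implements Definitions 4 and 5 over a constructed toy party set: it computes the closure cl(Γ₀) of a family of minimal authorized subsets, checks monotonicity, recovers Γ₀ from Γ, and builds a t-threshold structure. The party labels, the family Γ₀ and all function names are this example's own assumptions.

```python
from itertools import combinations

# Constructed toy input: four parties, labelled by small integers (an assumption of this example).
PARTIES = frozenset({1, 2, 3, 4})


def nonempty_subsets(parties):
    """All non-empty subsets of the party set, as frozensets (the candidates in 2^P)."""
    ordered = sorted(parties)
    return [frozenset(c) for k in range(1, len(ordered) + 1)
            for c in combinations(ordered, k)]


def closure(gamma0, parties):
    """cl(Γ₀): every subset of the parties that contains some minimal authorized set
    (Definition 5 states Γ = cl(Γ₀))."""
    return {b for b in nonempty_subsets(parties) if any(a <= b for a in gamma0)}


def is_monotone(gamma, parties):
    """Definition 4: Γ is monotone if A ∈ Γ and A ⊆ B (B a subset of the parties) imply B ∈ Γ."""
    return all(b in gamma
               for a in gamma
               for b in nonempty_subsets(parties) if a <= b)


def minimal_authorized(gamma):
    """Γ₀ of Definition 5: the authorized sets that properly contain no other authorized set."""
    return {b for b in gamma if not any(a < b for a in gamma)}


def threshold_structure(parties, t):
    """Definition 4: the t-threshold access structure (all subsets of size >= t)."""
    if not 1 <= t <= len(parties):
        raise ValueError("t must satisfy 1 <= t <= |parties|")
    return {b for b in nonempty_subsets(parties) if len(b) >= t}


def is_authorized(subset, gamma):
    """Decide whether a collaborating subset of parties is authorized under Γ."""
    return frozenset(subset) in gamma


if __name__ == "__main__":
    gamma0 = {frozenset({1, 2}), frozenset({3, 4})}   # constructed minimal authorized sets
    gamma = closure(gamma0, PARTIES)
    print(sorted(sorted(s) for s in gamma))
    print(is_authorized({1, 2, 3}, gamma), is_authorized({1, 3}, gamma))
```

The closure is computed by brute force over 2^𝒫, which is fine for the handful of parties an access structure is normally enforced over; `minimal_authorized(closure(gamma0))` returning `gamma0` is the statement Γ₀ uniquely determines Γ.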

Learning with errors (LWE) denotes the computational problem of inferring a linear n-ary function ƒ over a finite ring from given samples y_(i)=ƒ(x_(i)), some of which may be erroneous. Hence, the LWE problem involves recovery of a secret s given a sequence of approximate random linear equations on it. LWE is hard to solve based on certain assumptions regarding the worst-case hardness of lattice problems, such as GapSVP (a decision version of the Shortest Vector Problem) and SIVP (Shortest Independent Vectors Problem). In group theory, a lattice in ℝ^(n) is a subgroup of the additive group ℝ^(n) which is isomorphic to the additive group ℤ^(n) and spans the real vector space ℝ^(n). Accordingly, for any basis of ℝ^(n), the subgroup of all linear combinations with integer coefficients of the basis vectors forms a lattice.

Definition 6 (Decision-LWE)—For positive integers n and q≥2, and an error (probability) distribution χ over ℤ_(q), the decision-LWE_(n,q,χ) problem is to distinguish between the following pairs of distributions:

((a_(i), ⟨a_(i), s⟩+e_(i)))_(i) and ((a_(i), u_(i)))_(i), where i∈[poly(n)], a_(i)←ℤ_(q)^(n), s←ℤ_(q)^(n), e_(i)←χ, and u_(i)←ℤ_(q).

For a certain noise distribution χ and a sufficiently large q, the LWE problem is as hard as the worst-case SIVP and GapSVP under a quantum reduction. This conclusion has been extended to show that s can be sampled from a low norm distribution (in particular, from the noise distribution χ), and the resulting problem is as hard as the basic LWE problem. Similarly, the noise distribution χ can be a simple low-norm distribution. Therefore, a standard hybrid argument naturally leads to the multi-secret form of LWE, which is to distinguish:

(A, B=AS+E) and (A, U), where A←ℤ_(q)^(m×n), S←χ^(m×n), E∈χ^(m×n), and U is drawn from the uniform distribution over ℤ_(q)^(m×n). It can be verified that up to an m factor loss in the distinguishing advantage, multi-secret LWE is equivalent to plain (single-secret) decision-LWE.

A lattice trapdoor function presents a mechanism for constructing ciphertext secure public-key encryption (PKE) schemes from lattice assumptions.

Definition 7—Let n≥wd be an integer and n̄=n−wd. For A∈ℤ_(q)^(w×n), we say that R∈ℤ_(q)^(n̄×wd) is a trapdoor for A with tag H∈ℤ_(q)^(w×w) if $A\begin{bmatrix} R \\ I \end{bmatrix} = H \cdot G$, where G∈ℤ_(q)^(w×wd) is a primitive matrix.

Given a trapdoor R for A, and an LWE instance B=AS+E mod q for some “short” error matrix E, the LWE inversion algorithm successfully recovers S (and E) with overwhelming probability.

Learning with Errors From Cyclic Algebras (CLWE) is provided based on the following:

Definition 8 (Cyclic Galois extension)—A cyclic Galois extension L/K is defined as a Galois extension such that the Galois group of L over K is the cyclic group generated by some element θ of degree d:=[L:K].

Definition 9 (CLWE distribution)—Let L/K be a Galois extension of number fields of degree [L:K]=d, [K:ℚ]=n with cyclic Galois group generated by θ(·). Let 𝒜:=(L/K, θ, γ) be the resulting cyclic algebra with center K and invariant u with u^(d)=γ∈𝒪_(K), where 𝒪_(K) represents the ring of integers over number field K. Let Λ be an order of 𝒜. For an error distribution ψ over ⊕_(i=1)^(d−1) u^(i)L_ℝ, an integer modulus q≥2, and a secret s∈Λ_(q)^(∨) (Λ_(q)^(∨) denotes the codifferent ideal, modulo q, for order Λ), a sample from the CLWE distribution Π_(s,q,ψ) is obtained by sampling a←Λ_(q), e←ψ and outputting

$(a, b) = \left( a, \frac{a \cdot s}{q} + e \bmod \Lambda^{\vee} \right) \in \left( \Lambda_q, \oplus_{i=1}^{d-1} u^{i} L_{\mathbb{R}} \right) / \Lambda^{\vee}.$

Definition 10 (Decision-CLWE)—Let Υ be some distribution on a family of error distributions over ⊕_(i=1)^(d−1) u^(i)L_ℝ, and let U_(Λ) denote the uniform distribution on (Λ_(q), (⊕_(i=1)^(d−1) u^(i)L_ℝ)/Λ^(∨)). Then, for (s, ψ)←U(Λ_(q)^(∨))×Υ, the decision-CLWE problem is to distinguish the distribution Π_(s,q,ψ) from U_(Λ).

Based on the previously described foundation, fully homomorphic encryption via error canceling set-systems can be provided using tools in the forms of a predefined set-system and a vector family that follows from it. Constructions for both of these tools are provided below.

A superpolynomial size set-system ℋ is described first.

Definition 11—A family of sets {G₁, G₂, . . . , G_(t)} is non-degenerate if for all 1≤i≤t, there exists 1≤j≤t such that: G_(i)

G_(j).

Definition 12—Let m≥2, t≥2 be integers and ℋ be a set-system. We shall say that ℋ has t-wise restricted intersections modulo m if the following two conditions hold:

1. for all H∈ℋ: |H|=0 mod m,
2. for all t′ satisfying 2≤t′≤t, and all H₁, H₂, . . . , H_(t′)∈ℋ with {H₁, H₂, . . . , H_(t′)} non-degenerate, it holds that:

$\left| \bigcap_{\tau=1}^{t'} H_{\tau} \right| \neq 0 \bmod m.$

Proposition 13—Let l≥2 be an integer, and m=Π_(i=1)^(r) p_(i)^(α_(i)) be a positive integer with r>1 different prime divisors such that for all i∈{1, . . . , r}: p_(i)>l. Suppose there exists an integer t≥2 and a uniform set-system 𝒢 satisfying the conditions:

1. for all G∈𝒢: |G|=0 mod m,
2. for all t′ such that 2≤t′≤t, and for all distinct G₁, G₂, . . . , G_(t′)∈𝒢, it holds that:

$\left| \bigcap_{\tau=1}^{t'} G_{\tau} \right| = \mu \bmod m,$ where μ≠0 mod m and for all i∈{1, . . . , r}: μ∈{0,1} mod p_(i),

3. |∩_(G∈𝒢) G|≠0 mod m.

Then there exists a set-system ℋ, that is explicitly constructible from the set-system 𝒢, such that:

1. for all H₁, H₂∈ℋ, either |H₁|=|H₂|, |H₁|=l|H₂| or l|H₁|=|H₂|,
2. ℋ has t-wise restricted intersections modulo m (see Definition 12).

Proof. Start with l uniform (i.e., all member sets have equal size) set systems ℋ₁, ℋ₂, . . . , ℋ_(l) satisfying the following properties:

1. for all H^((i))∈ℋ_(i): |H^((i))|=0 mod m,
2. for all t′ such that 2≤t′≤t, and for all distinct H₁^((i)), H₂^((i)), . . . , H_(t′)^((i))∈ℋ_(i), it holds that:

$\left| \bigcap_{\tau=1}^{t'} H_{\tau}^{(i)} \right| = \mu \bmod m,$ where μ≠0 mod m and for all z∈{1, . . . , r}: μ∈{0,1} mod p_(z),

3. for all i∈{1, . . . , l}: |∩_(H^((i))∈ℋ_(i)) H^((i))|≠0 mod m,
4. |H^((i))|=|H^((j))| for all H^((i))∈ℋ_(i), H^((j))∈ℋ_(j);
5. for all i,j∈{1, . . . , l}: |∩_(H^((i))∈ℋ_(i)) H^((i))|=|∩_(H^((j))∈ℋ_(j)) H^((j))|.

The following bijection is fixed:

$f_{i,j}: \bigcap_{H^{(i)} \in \mathcal{H}_{i}} H^{(i)} \rightarrow \bigcap_{H^{(j)} \in \mathcal{H}_{j}} H^{(j)},$ such that ƒ_(i,i) is the identity and ƒ_(i,j)∘ƒ_(j,k)=ƒ_(i,k) for all 1≤i,j,k≤l. Using these bijections, the sets ∩_(H^((i))∈ℋ_(i)) H^((i)) and ∩_(H^((j))∈ℋ_(j)) H^((j)) are identified with each other. Let:

$A = \bigcap_{H^{(1)} \in \mathcal{H}_{1}} H^{(1)} = \bigcap_{H^{(2)} \in \mathcal{H}_{2}} H^{(2)} = \ldots = \bigcap_{H^{(l)} \in \mathcal{H}_{l}} H^{(l)}.$

The elements of the sets in ℋ_(i) are treated as being distinct from the elements of the sets in ℋ_(j), except for the above identification of elements in ∩_(H^((i))∈ℋ_(i)) H^((i)) with elements in ∩_(H^((j))∈ℋ_(j)) H^((j)). Let α=|A|, and let β₁, β₂, . . . , β_((l−1)α) be elements that are distinct from all the elements in the sets in ℋ₁, ℋ₂, . . . , ℋ_(l). Define the following set: B={β₁, β₂, . . . , β_((l−1)α)}, and consider the set system ℋ for which the following two conditions hold:

- for some i∈[l]: H^((i))∈ℋ, where H^((i))∈ℋ_(i),
- (∪_(i=1)^(l) H^((i)))∪B∈ℋ, where H^((i))∈ℋ_(i).

The common size of the sets in the uniform set systems ℋ_(i) (1≤i≤l) is written as km for some k>0. Then, the following holds for all H^((i))∈ℋ_(i):

$\left| \bigcup_{i=1}^{l} H^{(i)} \cup B \right| = \left| \bigcup_{i=1}^{l} H^{(i)} \right| + |B| = \sum_{i=1}^{l} |H^{(i)}| - (l-1)|A| + |B| = l(km) - (l-1)\alpha + (l-1)\alpha = lkm,$ where the second equality comes from the fact that H^((i))∩H^((j))=A for all i≠j. This proves that Condition (1) of Proposition 13 holds. Moving on to Condition (2): let t₁, t₂, . . . , t_(l+1)≥0 be such that 2≤t′(=t₁+t₂+ . . . +t_(l+1))≤t. We shall consider the intersection of the sets:

- H_(τ)^((i)) where 1≤i≤l, 1≤τ≤t_(i) and H_(τ)^((i))∈ℋ_(i),
- (∪_(i=1)^(l) H′_(τ)^((i)))∪B where 1≤τ≤t_(l+1) and H′_(τ)^((i))∈ℋ_(i).

Assume that these sets form a non-degenerate family. Let:

$\sigma = \left| \bigcap_{i=1}^{l} \bigcap_{\tau=1}^{t_i} H_{\tau}^{(i)} \cap \bigcap_{\tau=1}^{t_{l+1}} \left( H_{\tau}^{\prime(1)} \cup H_{\tau}^{\prime(2)} \cup \ldots \cup H_{\tau}^{\prime(l)} \cup B \right) \right| = \left| \bigcap_{i=1}^{l} \bigcap_{\tau=1}^{t_i} H_{\tau}^{(i)} \cap \bigcap_{\tau=1}^{t_{l+1}} \left( H_{\tau}^{\prime(1)} \cup H_{\tau}^{\prime(2)} \cup \ldots \cup H_{\tau}^{\prime(l)} \right) \right| + \epsilon |B|,$ where ϵ=1 if t₁=t₂= . . . =t_(l)=0, and ϵ=0 otherwise. If two or more of t₁, t₂, . . . , t_(l) are non-zero, then: σ=|A|=α≠0 mod m. On the other hand, if exactly one of t₁, t₂, . . . , t_(l) is non-zero, say t_(i), then:

$\sigma = \left| \bigcap_{\tau=1}^{t_i} H_{\tau}^{(i)} \cap \bigcap_{\tau=1}^{t_{l+1}} H_{\tau}^{\prime(i)} \right| \neq 0 \bmod m,$

since H_(τ)^((i)) (for 1≤τ≤t_(i)) and H′_(τ)^((i)) (for 1≤τ≤t_(l+1)) are not all the same by the assumption of non-degeneracy. If t₁=t₂= . . . =t_(l)=0, then we get:

$\sigma = \left| \bigcap_{\tau=1}^{t_{l+1}} \left( H_{\tau}^{\prime(1)} \cup H_{\tau}^{\prime(2)} \cup \ldots \cup H_{\tau}^{\prime(l)} \right) \right| + |B| = \sum_{i=1}^{l} \left| \bigcap_{\tau=1}^{t_{l+1}} H_{\tau}^{\prime(i)} \right| - (l-1)|A| + |B| = \sum_{i=1}^{l'} \mu_i \bmod m,$ for some integer l′ such that 1≤l′≤l, and some set {μ_(i)}_(i=1)^(l′) such that for each μ_(i) and all primes p such that p|m, it holds that: μ_(i)∈{0,1} mod p. Since μ_(i)≠0 mod m for all 1≤i≤l′, there must be some prime factor p of m for which at least one of the μ_(i)'s satisfies μ_(i)=1 mod p. Since p is a prime factor of m, it satisfies: p>l≥l′. Hence, for p, we get:

$\sigma = \sum_{i=1}^{l'} \mu_i \neq 0 \bmod p.$

This proves Condition (2), and hence completes the proof.

Remark—Suppose that |𝒢|=s and that the number of elements in the universe of 𝒢 is g. Then, there are ls sets of size km and s^(l) sets of size lkm in ℋ. Therefore, we get: |ℋ|=s^(l)+ls. The universe of ℋ has lg elements, and for each H∈ℋ, exactly one of the following is true:

- H is a proper subset of exactly s^(l−1) sets and not a proper superset of any sets in ℋ,
- H is a proper superset of exactly l sets and not a proper subset of any sets in ℋ.
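The construction from the proof of Proposition 13, the check of Definition 12 and the counts in the Remark above, carried out in Python as an added example that is not part of the patent text. The input set-systems ℋ_i are constructed toy "sunflowers" (a common core A of 6 elements plus 9 private elements per set) which satisfy the hypotheses of Proposition 13 for m=15=3·5, l=2 and t=3; the core is shared by all copies, which realises the identification through the bijections f_{i,j}. The example reads "non-degenerate" (Definition 11) as "no member of the family is contained in another", an assumption about the relation symbol missing from the text above; parameter values and function names are the example's own.

```python
from itertools import combinations, product


def prop13_construction(l, s, core, petal):
    """Build ℋ from l copies ℋ_1..ℋ_l of a constructed uniform toy set-system.

    Each ℋ_i has s sets of size core+petal: a common core A (|A| = core, shared by
    every set of every copy) plus `petal` private elements. B holds (l-1)|A| fresh
    elements. ℋ contains every H^(i) and every union H^(1) ∪ ... ∪ H^(l) ∪ B.
    """
    A = frozenset(range(core))
    copies, nxt = [], core                      # labels >= core are fresh
    for _ in range(l):
        fam = []
        for _ in range(s):
            fam.append(A | frozenset(range(nxt, nxt + petal)))
            nxt += petal
        copies.append(fam)
    B = frozenset(range(nxt, nxt + (l - 1) * core))
    H = [h for fam in copies for h in fam]                                 # the H^(i)
    H += [frozenset().union(*choice) | B for choice in product(*copies)]   # the unions with B
    return H


def non_degenerate(family):
    """Definition 11, read as: every member is not a subset of some other member (assumption)."""
    return all(any(not g_i <= g_j for g_j in family if g_j != g_i) for g_i in family)


def has_restricted_intersections(H, m, t):
    """Definition 12: t-wise restricted intersections modulo m."""
    if any(len(h) % m for h in H):                       # condition 1: |H| = 0 mod m
        return False
    for t_prime in range(2, t + 1):                      # condition 2, all non-degenerate subfamilies
        for fam in combinations(H, t_prime):
            if non_degenerate(fam) and len(frozenset.intersection(*fam)) % m == 0:
                return False
    return True


def size_condition(H, l):
    """Proposition 13, conclusion 1: sizes are pairwise equal or differ by the factor l."""
    return all(len(a) == len(b) or len(a) == l * len(b) or l * len(a) == len(b)
               for a in H for b in H)


def remark_profile(H, l, s, g):
    """The Remark: |ℋ| = s^l + l s, the universe has l g elements, and every set is
    either a proper subset of exactly s^(l-1) sets or a proper superset of exactly l sets."""
    universe = frozenset().union(*H)
    small = [h for h in H if not any(x < h for x in H)]   # never a proper superset
    large = [h for h in H if not any(h < x for x in H)]   # never a proper subset
    return (len(H) == s ** l + l * s
            and len(universe) == l * g
            and len(small) + len(large) == len(H)
            and all(sum(h < x for x in H) == s ** (l - 1) for h in small)
            and all(sum(x < h for x in H) == l for h in large))


if __name__ == "__main__":
    # m = 15 = 3*5 and l = 2 < min(3, 5); the core size 6 is 0 mod 3, 1 mod 5 and not 0 mod 15,
    # so each toy copy meets conditions 1-3 of Proposition 13 (constructed parameters).
    H = prop13_construction(l=2, s=3, core=6, petal=9)
    print(len(H), has_restricted_intersections(H, 15, 3), size_condition(H, 2))
```

With core size 15 instead of 6 the toy copies violate hypothesis 3 of Proposition 13 (the common intersection is 0 mod m), and the constructed ℋ then fails Definition 12 already on pairs of small sets, which is the failure mode the hypothesis rules out.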

In order to explicitly construct set systems which, in addition to having the properties in Proposition 13, have sizes superpolynomial in the number of elements, the following is used to construct a superpolynomial uniform set-system.

Theorem 14—Let {α_(i)}_(i=1)^(r) be r>1 positive integers and m=Π_(i=1)^(r) p_(i)^(α_(i)) be a positive integer with r different prime divisors: p₁, . . . , p_(r). For every integer n≥1, there exists an explicitly constructible polynomial P in n variables such that

1. P(0, 0, . . . , 0)=0 mod m,
2. P(x)≠0 mod m for all x∈{0,1}^(n) such that x≠(0, 0, . . . , 0),
3. for all i∈[r] and all x∈{0,1}^(n) such that x≠(0, 0, . . . , 0), it holds that: P(x)∈{0,1} mod p_(i).

The polynomial P has degree d=max(p₁^(e₁), . . . , p_(r)^(e_(r)))−1, where e_(i) (for all i∈[r]) is the smallest integer that satisfies p_(i)^(e_(i))>⌈n^(1/r)⌉. Define Q(x₁, x₂, . . . , x_(n))=P(1−x₁, 1−x₂, . . . , 1−x_(n)). Then:

1. Q(1, 1, . . . , 1)=0 mod m,
2. Q(x)≠0 mod m for all x∈{0,1}^(n) such that x≠(1, 1, . . . , 1),
3. for all i∈[r] and all x∈{0,1}^(n) such that x≠(1, 1, . . . , 1), it holds that: Q(x)∈{0,1} mod p_(i).

Theorem 15—Let {α_(i)}_(i=1)^(r) be r>1 positive integers and m=Π_(i=1)^(r) p_(i)^(α_(i)) be a positive integer with r different prime divisors: p₁, . . . , p_(r). For every integer n≥1, there exists a uniform set system 𝒢 over a universe of g elements which is explicitly constructible from the polynomial Q of degree d such that

1. $g < \frac{2(m-1)n^{2d}}{d!}$ if n≥2d,
2. |𝒢|=n^(n),
3. for all G∈𝒢, |G|=0 mod m,
4. for all G, H∈𝒢 such that G≠H, it holds that: |G∩H|=μ mod m, where μ≠0 mod m and μ∈{0,1} mod p_(i) for all i∈[r],
5. |∩_(G∈𝒢) G|≠0 mod m.

Note that Theorem 15 follows from the fact that the following holds in Grolmusz's construction of superpolynomial set-systems:

$\left| \bigcap_{G \in \mathcal{G}} G \right| = Q(0, 0, \ldots, 0) \neq 0 \bmod m.$

Theorem 16—Let {α_(i)}_(i=1)^(r) be r>1 positive integers and m=Π_(i=1)^(r) p_(i)^(α_(i)) be a positive integer with r different prime divisors: p₁, . . . , p_(r). For all integers t≥2 and n≥1, there exists a uniform set system 𝒢 over a universe of g elements which is explicitly constructible from the polynomial Q of degree d such that

1. $g < \frac{2(m-1)n^{2d}}{d!}$ if n≥2d,
2. |𝒢|=n^(n),
3. for all G∈𝒢, |G|=0 mod m,
4. for all t′ such that 2≤t′≤t, and for all distinct G₁, G₂, . . . , G_(t′)∈𝒢, it holds that:

$\left| \bigcap_{\tau=1}^{t'} G_{\tau} \right| = \mu \bmod m,$ where μ≠0 mod m and μ∈{0,1} mod p_(i) for all i∈[r],

5. |∩_(G∈𝒢) G|≠0 mod m.

Proof: Write the polynomial Q as

$Q(x_1, x_2, \ldots, x_n) = \sum_{i_1 < i_2 < \ldots < i_l} a_{i_1, i_2, \ldots, i_l} x_{i_1} x_{i_2} \ldots x_{i_l}.$

Define

$\tilde{Q}(x_1, x_2, \ldots, x_n) = \sum_{i_1 < i_2 < \ldots < i_l} \tilde{a}_{i_1, i_2, \ldots, i_l} x_{i_1} x_{i_2} \ldots x_{i_l},$ where ã_(i₁,i₂, . . . ,i_(l)) is the remainder when a_(i₁,i₂, . . . ,i_(l)) is divided by m.

Let [0, n−1]={0, 1, . . . , n−1}. Define the function δ: [0, n−1]^(t)→{0,1} as

$\delta(u_1, u_2, \ldots, u_t) = \begin{cases} 1 & \text{if } u_1 = u_2 = \ldots = u_t, \\ 0 & \text{otherwise.} \end{cases}$

For y₁, y₂, . . . , y_(t)∈[0, n−1]^(n), let

a^(y₁,y₂, . . . ,y_(t))=Q̃(δ(y_(1,1), y_(2,1), . . . , y_(t,1)), . . . , δ(y_(1,n), y_(2,n), . . . , y_(t,n))) mod m.

Then

$a^{y_1, y_2, \ldots, y_t} = \sum b_{i_1, i_2, \ldots, i_l}^{y_1, y_2, \ldots, y_t},$ where

$b_{i_1, i_2, \ldots, i_l}^{y_1, y_2, \ldots, y_t} = \prod_{j=1}^{l} \delta\left( y_{1,i_j}, y_{2,i_j}, \ldots, y_{t,i_j} \right).$ Each summand b_(i₁,i₂, . . . ,i_(l))^(y₁,y₂, . . . ,y_(t)) corresponds to a monomial of Q̃ and occurs with multiplicity ã_(i₁,i₂, . . . ,i_(l)) in the above sum.

It can be checked that there exist partitions 𝒫_(i₁,i₂, . . . ,i_(l)) of [0, n−1]^(n) such that for all y₁, y₂, . . . , y_(t)∈[0, n−1]^(n),

$b_{i_1, i_2, \ldots, i_l}^{y_1, y_2, \ldots, y_t} = \begin{cases} 1 & \text{if } y_1, y_2, \ldots, y_t \text{ belong to the same block of } \mathcal{P}_{i_1, i_2, \ldots, i_l}, \\ 0 & \text{otherwise,} \end{cases}$ and that the equivalence classes defined by the partition 𝒫_(i₁,i₂, . . . ,i_(l)) each have size n^(n−l). We say that a block in the partition 𝒫_(i₁,i₂, . . . ,i_(l)) covers y∈[0, n−1]^(n) if y is an element of the block.

A set system 𝒢 is defined as follows: the sets in 𝒢 correspond to y for y∈[0, n−1]^(n), and the set corresponding to y has elements given by the blocks that cover y.

The set y in the set system 𝒢 has size equal to the number of blocks that cover y, which is equal to a^(y,y, . . . ,y)=Q̃(1,1, . . . ,1)=0 mod m.

For any 2≤t′≤t and distinct y₁, y₂, . . . , y_(t′)∈[0, n−1]^(n), some block of 𝒫_(i₁,i₂, . . . ,i_(l)) covers all of y₁, y₂, . . . , y_(t′) if and only if b_(i₁,i₂, . . . ,i_(l))^(y₁,y₂, . . . ,y_(t′), . . . ,y_(t′))=1 (note that y_(t′) occurs in the superscript t−t′+1 times). Hence, the number of such blocks is equal to: a^(y₁,y₂, . . . ,y_(t′), . . . ,y_(t′))≠0 mod m.

Finally, a bound on g, the number of elements in the universe of 𝒢, is derived. In this construction, g is equal to the number of blocks. Since each partition 𝒫_(i₁,i₂, . . . ,i_(l)) defines n^(l) equivalence classes, the number of blocks is given by

$g = \sum_{i_1 < i_2 < \ldots < i_l} \tilde{a}_{i_1, i_2, \ldots, i_l} n^{l} \leq \sum_{l=0}^{d} \binom{n}{l} (m-1) n^{l} < (m-1) \sum_{l=0}^{d} \frac{n^{2l}}{l!} < \frac{2(m-1)n^{2d}}{d!},$ provided that n≥2d.

Theorem 17—Let {α_(i)}_(i=1)^(r) be r>1 positive integers and m=Π_(i=1)^(r) p_(i)^(α_(i)) be a positive integer with r different odd prime divisors: p₁, . . . , p_(r), and l≥2 be an integer such that l<min(p₁, . . . , p_(r)). Then, for all integers t≥2 and n≥1, there exists an explicitly constructible non-uniform set-system ℋ, defined over a universe of h elements, such that

1. $h < 2l(m-1)n^{4mn^{\frac{1}{r}}}$ if $n \geq (4m)^{1 + \frac{1}{r-1}}$,
2. |ℋ|=n^(ln)+ln^(n),
3. for all H₁, H₂∈ℋ, either |H₁|=|H₂|, |H₁|=l|H₂| or l|H₁|=|H₂|,
4. ℋ has t-wise restricted intersections modulo m.

Proof. By Theorem 16, there exists a uniform set-system 𝒢 that satisfies conditions 1-3 of Proposition 13, and is defined over a universe of g elements, such that |𝒢|=n^(n). Furthermore we know that

$g < \frac{2(m-1)n^{2d}}{d!}$ provided the condition n≥2d is satisfied. From Theorem 14, d=max(p₁^(e₁), . . . , p_(r)^(e_(r)))−1 where e_(i) is the smallest integer that satisfies p_(i)^(e_(i))>⌈n^(1/r)⌉, from which we obtain the following inequality: d<max(p₁, . . . , p_(r))⌈n^(1/r)⌉<2mn^(1/r).

Hence if $n \geq (4m)^{1 + \frac{1}{r-1}}$, then $n^{\frac{r-1}{r}} \geq 4m$, so that $n \geq 4mn^{1/r} > 2d$, and thus we have:

$g < \frac{2(m-1)n^{2d}}{d!} < 2(m-1)n^{2d} < 2(m-1)n^{4mn^{\frac{1}{r}}}.$

Applying Proposition 13 with the set-system 𝒢, a set-system ℋ is obtained that satisfies Conditions 3 and 4. The size of ℋ is: |ℋ|=(n^(n))^(l)+l(n^(n))=n^(ln)+ln^(n), and the number of elements in the universe of ℋ is

$h = lg < 2l(m-1)n^{4mn^{\frac{1}{r}}}$ for $n \geq (4m)^{1 + \frac{1}{r-1}}.$

Corollary 18—Let {α_(i)}_(i=1)^(r) be r>1 positive integers and m=Π_(i=1)^(r) p_(i)^(α_(i)) be a positive integer with r different odd prime divisors: p₁, . . . , p_(r), and l≥2 be an integer such that l<min(p₁, . . . , p_(r)). Then, there exists c>0 such that for all integers t≥2 and h≥lm, there exists an explicitly constructible non-uniform¹ set-system ℋ, defined over a universe of h elements, such that

1. $|\mathcal{H}| > \exp\left( c \frac{l(\log h)^{r}}{(\log\log h)^{r-1}} \right) + l \exp\left( c \frac{(\log h)^{r}}{(\log\log h)^{r-1}} \right),$
2. for all H∈ℋ: |H|=0 mod m,
3. for all H₁, H₂∈ℋ, either |H₁|=|H₂|, |H₁|=l|H₂| or l|H₁|=|H₂|,
4. for all H₁, H₂∈ℋ, where H₁≠H₂: if H₂⊂H₁ or H₁⊂H₂, then |H₁∩H₂|=0 mod m, else |H₁∩H₂|≠0 mod m,
5. ℋ has t-wise restricted intersections modulo m.

¹ Member sets do not all have equal size.

Proof. For small values of h, we can simply take ℋ to be the set system ℋ={{1,2, . . . ,m},{m,m+1, . . . ,2m−1},{1,2,3, . . . ,lm}}, so it is enough to prove the statement for sufficiently large h. Choose n as large as possible subject to the restriction

$2l(m-1)n^{4mn^{\frac{1}{r}}} \leq h.$ It is assumed that h is sufficiently large so that the condition $n \geq (4m)^{1 + \frac{1}{r-1}}$ is satisfied. For N=n+1, it holds that:

$h < 2l(m-1)N^{4mN^{\frac{1}{r}}},$ and hence $N > e^{rW_0\left( \frac{1}{4rm} \log \frac{h}{2l(m-1)} \right)},$ where W₀ is the principal branch of the Lambert W function. Fix any c₁ such that

$0 < c_1 < \frac{1}{4rm}.$ Then for h sufficiently large, n>e^(rW₀(c₁ log h)), and since W₀(x)=log x−log log x+o(1), it follows that there exists some c₂ such that for all sufficiently large h, it holds that:

$n > \exp\left( r \log\log h - r \log\log\log h + c_2 \right) = \frac{e^{c_2} (\log h)^{r}}{(\log\log h)^{r}}.$ This shows that there exists c₃>0 such that for sufficiently large h, we get:

$n^{n} > \exp\left( \frac{c_3 (\log h)^{r}}{(\log\log h)^{r-1}} \right). \qquad (1)$

Since the size of ℋ is |ℋ|=n^(ln)+ln^(n), it follows from Equation (1) that:

$|\mathcal{H}| > \exp\left( c \frac{l(\log h)^{r}}{(\log\log h)^{r-1}} \right) + l \exp\left( c \frac{(\log h)^{r}}{(\log\log h)^{r-1}} \right).$

From the set system ℋ, a covering vector family V follows.

Definition 19 (Covering Vectors)—Let m, h > 0 be positive integers, S ⊆ ℤ_m \ {0}, and let w(·) and ⟨·,·⟩ denote Hamming weight and inner product, respectively. We say that a subset V = {v_i}_{i=1}^N of vectors in (ℤ_m)^h forms an S-covering family of vectors if the following two conditions are satisfied:

-   ∀i ∈ [N], it holds that ⟨v_i, v_i⟩ = 0 mod m,
-   ∀i, j ∈ [N], where i ≠ j, it holds that:

$\langle v_{i}, v_{j} \rangle \bmod m = \begin{cases} 0 & \text{if } w(v_{i} \circ v_{j} \bmod m) = 0 \bmod m \\ \in S & \text{otherwise,} \end{cases}$ where ∘ denotes the Hadamard/Schur product (see Definition 1).

Recall that h, m, l are positive integers such that 2 ≤ l < min(p₁, . . . , p_r) and m = Π_{i=1}^r p_i^{α_i} has r > 1 different prime divisors: p₁, . . . , p_r. Further, it follows that the sizes of the pairwise intersections of the sets in ℋ occupy at most m−1 residue classes modulo m. If each set H_i ∈ ℋ is represented by a representative vector v_i ∈ (ℤ_m)^h, then for the resulting subset V of vectors in (ℤ_m)^h, the following result follows from Corollary 18.

Corollary 20—For the set-system ℋ defined in Corollary 18, if each set H_i ∈ ℋ is represented by a unique vector v_i ∈ (ℤ_m)^h, then for a set S of size m−1, the set of vectors V = {v_i}_{i=1}^N, formed by the representative vectors of all sets in ℋ, is an S-covering family such that

$N > \exp\left( c\frac{l(\log h)^{r}}{(\log\log h)^{r-1}} \right) + l\exp\left( c\frac{(\log h)^{r}}{(\log\log h)^{r-1}} \right)$

and ∀i, j ∈ [N] it holds that ⟨v_i, v_j⟩ = |H_i ∩ H_j| mod m.

Vector families and special inner products can be used to work with sets from different set-systems. Each set H in any set-system ℋ that is defined by Corollary 18 satisfies one of the following two properties:

-   H is a proper subset of exactly s^{l−1} sets and not a proper superset of any sets in ℋ, or
-   H is a proper superset of exactly l sets and not a proper subset of any sets in ℋ,

where

$s \geq \exp\left( c\frac{(\log h)^{r}}{(\log\log h)^{r-1}} \right).$

Let V ⊆ (ℤ_m)^h be a family of covering vectors, consisting of representative vectors for the sets in a set-system ℋ (defined modulo m). For all i ∈ [|ℋ|] (= |V|), let v_i ∈ V denote the representative vector for the set H_i ∈ ℋ. Recall from Corollary 20 that the following holds:

⟨v_i, v_j⟩ = |H_i ∩ H_j| mod m.

A k-multilinear form on V^(k) is defined as:

$\left\langle {v_{1},v_{2},\ldots,v_{k}} \right\rangle_{k} = {\sum\limits_{i = 1}^{h}{{v_{1}\lbrack i\rbrack}{v_{2}\lbrack i\rbrack}\ldots{v_{k}\lbrack i\rbrack}}}$

A representative vector v ∈ V is defined for a fixed set H ∈ ℋ. For the rest of the sets H_i ∈ ℋ, their respective representative vectors are denoted by v_i ∈ V. Let v, v₁, v₂ ∈ V, and let v_{i∩j} ∈ V denote the representative vector for the set H_{i∩j} = H_i ∩ H_j. Then, the following holds:

$\begin{matrix} \begin{matrix} \langle v, v_{1\cup 2} \rangle = |H \cap (H_{1} \cup H_{2})| = |(H \cap H_{1}) \cup (H \cap H_{2})| \\ = |H \cap H_{1}| + |H \cap H_{2}| - |H \cap H_{1} \cap H_{2}| \\ = \langle v, v_{1} \rangle + \langle v, v_{2} \rangle - \langle v, v_{1}, v_{2} \rangle_{3}. \end{matrix} & (2) \end{matrix}$

Define F as F(x, y, z) = x + y − z, i.e., the following holds:

F(⟨v, v₁⟩, ⟨v, v₂⟩, ⟨v, v₁, v₂⟩₃) = ⟨v, v_{1∪2}⟩.

Note that the following also holds:

$\begin{matrix} |H \cap (H_{1} \cap H_{2})| = \langle v, v_{1} \rangle + \langle v, v_{2} \rangle - \langle v, v_{1\cup 2} \rangle \\ = |H \cap H_{1}| + |H \cap H_{2}| - |H \cap (H_{1} \cup H_{2})|. \end{matrix}$

Consider the following simple extension of Equation 2:

$\begin{matrix} \langle v, v_{1}, v_{2\cup 3} \rangle_{3} = |H \cap H_{1} \cap (H_{2} \cup H_{3})| \\ = |(H \cap H_{1} \cap H_{2}) \cup (H \cap H_{1} \cap H_{3})| \\ = |H \cap H_{1} \cap H_{2}| + |H \cap H_{1} \cap H_{3}| - |H \cap H_{1} \cap H_{2} \cap H_{3}| \\ = \langle v, v_{1}, v_{2} \rangle_{3} + \langle v, v_{1}, v_{3} \rangle_{3} - \langle v, v_{1}, v_{2}, v_{3} \rangle_{4}. \end{matrix}$

The extension yields:

F(⟨v, v₁, v₂⟩₃, ⟨v, v₁, v₃⟩₃, ⟨v, v₁, v₂, v₃⟩₄) = ⟨v, v₁, v_{2∪3}⟩₃.

Note that the following also holds:

$\begin{matrix} |H \cap (H_{1} \cap H_{2} \cap H_{3})| = \langle v, v_{1}, v_{2} \rangle_{3} + \langle v, v_{1}, v_{3} \rangle_{3} - \langle v, v_{1}, v_{2\cup 3} \rangle_{3} \\ = |H \cap H_{1} \cap H_{2}| + |H \cap H_{1} \cap H_{3}| - |H \cap H_{1} \cap (H_{2} \cup H_{3})|. \end{matrix}$

It follows by extension that ⟨v, v_{1∪2∪ . . . ∪w}⟩_w can be computed from the k-multilinear forms ⟨v₁, v₂, . . . , v_k⟩_k, for all k ∈ [w+1] and all v_i ∈ V. Hence, ⟨v_i, v_j⟩ = |H_i ∩ H_j| mod m allows computation of the intersection of any sets H_i, H_j ∈ ℋ, such that two vectors v_i, v_j of a covering vector family V of the set-system ℋ represent two sets H_i, H_j of the set-system ℋ and have an inner product ⟨v_i, v_j⟩ equal to a multiple of a non-prime integer m when the size of the intersection (|H_i ∩ H_j|) of the sets H_i, H_j represented by the two vectors v_i, v_j is a multiple of the non-prime integer m. Further, being able to compute the aforementioned function F(x, y, z) allows computation of unions and intersections of any arbitrary number of sets from ℋ.

An example fully homomorphic encryption system is supported by the foregoing description and drawings, and by the following. The example fully homomorphic encryption system supports both addition operations and multiplication operations of operation-compatible ciphertext. Each ciphertext is designated as “addition compatible” or “multiplication compatible,” designations that are mutually incompatible. Hence, an aggregator (the operation and/or entity responsible for homomorphic evaluation of the arithmetic circuit) performs a “gate conversion” between addition compatible ciphertext and multiplication compatible ciphertext. It is assumed that all parties are honest. In one implementation, all matrices are square.

Based on the foregoing, for H ∈ ℋ, if an addition or multiplication gate receives sets H_a and H_b (1 ≤ a, b ≤ |ℋ|) as inputs, then the output is zero if:

-   H_a = H_b, or
-   H_a is a proper subset of H_b or vice-versa.

Accordingly, if these sets are carefully placed within the various terms, then the sets can be used to remove the error terms to which they are attached. Therefore, the set-systems cancel each other and result in the errors also being canceled after a fixed depth in the evaluation circuit.
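The following is an added worked example, not code from the patent: it builds 0/1 representative vectors over ℤ_m for the small-h set-system from the proof of Corollary 18, checks the intersection property and the inner-product relation of Corollary 20, evaluates the zero-output condition just stated, and carries the inclusion-exclusion function F(x, y, z) = x + y − z of Equation 2 and its three-set extension through on constructed sets. The parameters m = 15, l = 2, h = 30 and all sets are constructed for this example.

```python
"""Added example (not from the patent): representative vectors over Z_m,
the intersection property of Corollary 18, the inner-product relation of
Corollary 20, the gate zero-condition, and the function F of Equation 2."""
from itertools import combinations

# Constructed parameters: m = 3 * 5 is non-prime with r = 2 prime divisors,
# l = 2 satisfies 2 <= l < min(3, 5), and h = l*m is the universe size.
M, L = 15, 2
H_UNIVERSE = L * M


def small_set_system(m=M, l=L):
    """The set-system used in the proof of Corollary 18 for small h."""
    return [set(range(1, m + 1)),          # {1, ..., m}
            set(range(m, 2 * m)),          # {m, ..., 2m-1}
            set(range(1, l * m + 1))]      # {1, ..., lm}


def representative_vector(s, h=H_UNIVERSE):
    """Characteristic vector of s in (Z_m)^h; coordinate i stands for element i."""
    return [1 if i in s else 0 for i in range(1, h + 1)]


def multilinear_form(*vectors):
    """<v_1, ..., v_k>_k = sum_i v_1[i] * ... * v_k[i], over the integers."""
    total = 0
    for coords in zip(*vectors):
        prod = 1
        for c in coords:
            prod *= c
        total += prod
    return total


def inner_product_mod(u, w, m=M):
    """<u, w> mod m; for 0/1 vectors this equals |H_u ∩ H_w| mod m (Corollary 20)."""
    return multilinear_form(u, w) % m


def satisfies_intersection_property(sets, m=M):
    """Properties 2 and 4 of Corollary 18: every |H| = 0 mod m, and for H1 != H2
    the intersection size is 0 mod m exactly when one set contains the other."""
    if any(len(s) % m for s in sets):
        return False
    for a, b in combinations(sets, 2):
        nested = a < b or b < a                 # proper subset either way
        if (len(a & b) % m == 0) != nested:
            return False
    return True


def gate_output_is_zero(ha, hb, m=M):
    """Zero-output condition read off the vectors: the inner product of the
    representatives vanishes mod m, which by property 4 happens exactly when
    H_a = H_b or one is a proper subset of the other."""
    va, vb = representative_vector(ha), representative_vector(hb)
    return inner_product_mod(va, vb, m) == 0


def F(x, y, z):
    """F(x, y, z) = x + y - z, the inclusion-exclusion step of Equation 2."""
    return x + y - z


def size_h_cap_union(v, v1, v2):
    """|H ∩ (H1 ∪ H2)| from the pairwise and 3-linear forms (Equation 2)."""
    return F(multilinear_form(v, v1), multilinear_form(v, v2),
             multilinear_form(v, v1, v2))


def size_h_cap_h1_cap_union(v, v1, v2, v3):
    """|H ∩ H1 ∩ (H2 ∪ H3)| from the 3- and 4-linear forms (the extension)."""
    return F(multilinear_form(v, v1, v2), multilinear_form(v, v1, v3),
             multilinear_form(v, v1, v2, v3))


if __name__ == "__main__":
    system = small_set_system()
    print(satisfies_intersection_property(system))        # True
    print(gate_output_is_zero(system[0], system[1]))      # False: |{15}| = 1
    print(gate_output_is_zero(system[1], system[2]))      # True: proper subset
    # Constructed sets for the inclusion-exclusion identities.
    H, H1, H2, H3 = {1, 2, 3, 4, 5, 6}, {1, 2, 3, 7}, {3, 4, 8}, {2, 5, 9}
    v, v1, v2, v3 = (representative_vector(s) for s in (H, H1, H2, H3))
    print(size_h_cap_union(v, v1, v2), len(H & (H1 | H2)))                  # 4 4
    print(size_h_cap_h1_cap_union(v, v1, v2, v3), len(H & H1 & (H2 | H3)))  # 2 2
```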

A trust vector v ∈ V is sampled from the covering vector family V (a family of representative trust vectors) such that the set H ∈ ℋ represented by v has s^{l−1} proper supersets in ℋ. Recall that s is superpolynomial w.r.t. h and r. An error E is randomly sampled from a cyclic generator set ℑ for module M, which is used to define the CLWE distribution. Party P_b (b ∈ {0,1}) is provided with {E, A₀, A, x_b}, where x_b = ⟨v, v_b⟩ for some v_b ∈ V such that H_b is not a subset of H and H is not a subset of H_b. The matrices “A₀, A” are referred to as “level-specific matrices”, the vectors v and v_b are trust vectors, and the term “x” is referred to as an “error canceling variable” or an “error canceling party identifier.” An integer q is selected such that m = lφ(q) and l²φ(q) = q.

Party P_b encrypts its plaintext S_b ∈ ℑ and generates addition compatible ciphertext as: $C_{a}^{(b)} = AS_{b} + \langle v, v_{b} \rangle E \bmod q$. Party P₀ generates multiplication compatible ciphertext $C_{d}^{(0)}$ as: $C_{d}^{(0)}A_{0} = AS_{0} + E^{\langle v, v_{0} \rangle} \bmod q$, and party P₁ generates its multiplication compatible ciphertext as: $C_{d}^{(1)}A = A_{0}S_{1} + E^{\langle v, v_{1} \rangle} \bmod q$. $C_{d}^{(b)}$ can be computed via lattice trapdoors. Vectors may be selected from a covering vector family of the set-system, such that the inner product of the vectors equals a multiple of a non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer.

Each level in the circuit has one matrix assigned to it. A is the level 0 matrix. The matrices for all other levels alternate between A and A₀. Addition of any two addition compatible ciphertexts is straightforward via simple addition, yielding a result that depends upon the choice of v₀ and v₁. Multiplication of two compatible ciphertexts can be performed as:

$\begin{matrix}{{C_{d}^{(1)}C_{d}^{(0)}A_{0}} = {{C_{d}^{(1)}\left( {{AS}_{0} + E^{\langle{v,v_{0}}\rangle}} \right)}{mod}q}} \\{= {{C_{d}^{(1)}{AS}_{0}} + {C_{d}^{(1)}E^{\langle{v,v_{0}}\rangle}{mod}q}}} \\{= {{A_{0}S_{1}S_{0}} + {E^{\langle{v,v_{1}}\rangle}S_{0}} + {C_{d}^{(1)}E^{\langle{v,v_{0}}\rangle}{mod}{q.}}}}\end{matrix}$

Since ℑ is cyclic, the “nature” of the errors remains preserved throughout the multiplication. If $S_{0} = E^{\langle v, v_{z} \rangle}$ for some randomly sampled v_z ∈ V, then the errors get reduced in the desired manner.

Each multiplication and addition operation can occur only between compatible ciphertexts. Since the matrices A₀ and A are different, ciphertexts at each level of the circuit are multiplication compatible. Hence, after level 0, the aggregator must perform “gate conversions”, i.e., transforming multiplication compatible ciphertext to addition compatible ciphertext. This can be easily carried out by performing the component-wise product of the multiplication compatible ciphertext with Â, where ÂA₀ = A mod q. Converting addition compatible ciphertext to multiplication compatible ciphertext can be accomplished by computing the component-wise product with the appropriate short matrix.

The set-system ℋ can also provide support for general access structures in which parties do not rely on shared keys to carry out fully homomorphic encryption computations of ciphertext. Instead, general access structures allow for distributing shares of a secret such that any authorized subset of secret holders, as specified by the general access structure, can recompute the secret and therefore decrypt corresponding ciphertext. Such general access structures are monotone (e.g., if a subset of parties A belongs to the general access structure and if A is a subset of another set of parties B, then B also belongs to the general access structure, and hence is also authorized to recompute the secret).

It follows directly from the description of the vector families and special inner products provided herein that in a setting with more than two parties, x_b can be generated such that it holds for any authorized subset of parties that the set represented by Σ_i v_i (summed over the parties i in that subset) in Σ_i x_i = Σ_i ⟨v, v_i⟩ is always a superset of H ∈ ℋ that is represented by v ∈ V. Similarly, x_b can be generated such that it holds for all unauthorized subsets of parties that the set represented by Σ_i v_i (summed over the parties i in that subset) is never a superset (or subset) of the set H represented by v. In such a setting, errors get canceled if some authorized subset of parties collaborates, and errors do not get canceled if an unauthorized subset of parties collaborates. Accordingly, parties belonging to certain authorized subsets can successfully decrypt the ciphertext output of the evaluation circuit, and parties not belonging to these subsets cannot.

FIG. 2 illustrates an example flow 200 through a homomorphic evaluation circuit. As previously discussed, each multiplication and addition operation can occur only between compatible ciphertexts. Since the matrices A₀ and A are different, ciphertexts at each level of the circuit are multiplication compatible. Hence, after level 0, the aggregator must perform “gate conversions”, i.e., transforming multiplication compatible ciphertext to addition compatible ciphertext. This can be easily carried out by performing the component-wise product of the multiplication compatible ciphertext with Â, where ÂA₀ = A mod q.

A multiplication compatible ciphertext 202 is received (e.g., as input to a homomorphic evaluation circuit or as an intermediate ciphertext result in the homomorphic evaluation circuit). The multiplication compatible ciphertext 202 is input to a multiplication gate 204 of the evaluation circuit, which outputs multiplication compatible ciphertext 206. Because the next arithmetic operation of the evaluation circuit is an addition gate 212, a gate conversion 208 transforms the multiplication compatible ciphertext 206 to addition compatible ciphertext 210, which is then input to the addition gate 212 for computation. Output of the addition gate 212 is passed to a subsequent level of the evaluation circuit or out of the evaluation circuit as a ciphertext result of the evaluation.

FIG. 3 illustrates example components used in a fully homomorphic encryption system 300. An encryption operator 302 receives plaintext input (not shown). A homomorphic encryptor 304 encrypts the plaintext input to yield a homomorphically encrypted ciphertext input, which is communicated to a homomorphic evaluation circuit 306 via a communication interface 308. For its encryption operation, the homomorphic encryptor 304 employs vectors selected from a covering vector family of a set-system having an intersection property for which the inner product of the vectors equals a multiple of a non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer.

The homomorphic evaluation circuit 306 receives the homomorphically encrypted ciphertext input via a communication interface 310. A homomorphic evaluator 312 evaluates the homomorphically encrypted ciphertext input against an arithmetic operation via addition and/or multiplication gates. The evaluation result is generated as homomorphically encrypted ciphertext output, which is communicated to the decryption operator 314 via the communication interface 310. The decryption operator 314 receives the homomorphically encrypted ciphertext output via a communication interface 316. A homomorphic decryptor 318 decrypts the homomorphically encrypted ciphertext output to yield plaintext output (not shown).

FIG. 4 illustrates example operations 400 for evaluating homomorphically encrypted ciphertext. An input operation 402 receives ciphertext input that has been homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property. An evaluation operation 404 evaluates an arithmetic function on the ciphertext input to generate a ciphertext output. The arithmetic function includes one or more additive gates and one or more multiplicative gates. The evaluation operation 404 also generates errors during the evaluation of the arithmetic function, but the intersection property of the set-system cancels out the errors during the evaluation operation 404. An output operation 406 transmits the ciphertext output for homomorphic decryption to generate a plaintext result.

The set-system may be selected to include sets having an intersection property that cancels out the error during the evaluation, rather than by constraining the operation or performing supplemental error-removal operations. Vectors may be selected from a covering vector family of the set-system, such that the inner product of the vectors equals a multiple of a non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer (an example intersection property). The vectors may be used to homomorphically encrypt plaintext into ciphertext input for the evaluation. Errors generated during the evaluation are then canceled out based on the intersection properties of the set-system used to encrypt the ciphertext input. Also, based on the foregoing, given a level-specific matrix (A₀ or A) and its trapdoor, a ciphertext result (output) can be inverted to retrieve a plaintext result (output).

FIG. 5 illustrates example operations 500 for decrypting homomorphically encrypted ciphertext. It should be understood that encrypting homomorphically encrypted ciphertext may also be accomplished using the technology described herein.

A receiving operation 502 receives a ciphertext output of an arithmetic evaluation function. The arithmetic evaluation function has been performed on a ciphertext input homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property. A decrypting operation 504 decrypts the ciphertext output using a summation of two or more noise-canceling party identifiers of two or more authorized parties. The intersection property of the sets cancels out the errors for the two or more authorized parties during the decryption operation. A decryption attempt operation 506 attempts to decrypt the ciphertext output using a summation of one or more noise-canceling party identifiers of one or more unauthorized parties. However, as the intersection property of the sets fails to cancel out the errors for the one or more unauthorized parties during the attempted decryption, the attempted decryption operation fails for the one or more unauthorized parties.

FIG. 6 illustrates an example computing device 600 for implementing the features and operations of the described technology. The computing device 600 may embody a remote control device or a physical controlled device and is an example network-connected and/or network-capable device and may be a client device, such as a laptop, mobile device, desktop, tablet; a server/cloud device; an internet-of-things device; an electronic accessory; or another electronic device. The computing device 600 includes one or more hardware processor(s) 602 and a memory 604. The memory 604 generally includes both volatile memory (e.g., RAM) and nonvolatile memory (e.g., flash memory). An operating system 610 resides in the memory 604 and is executed by the hardware processor(s) 602.

In an example computing device 600, as shown in FIG. 6, one or more modules or segments, such as applications 650, a homomorphic evaluator, a homomorphic encryptor, a homomorphic decryptor, a communication interface, and other services, workloads, and modules, are loaded into the operating system 610 on the memory 604 and/or storage 620 and executed by hardware processor(s) 602. The storage 620 may include one or more tangible storage media devices and may store cryptographic security parameters, plain text, ciphertext, device parameters, and other data and may be local to the computing device 600 or may be remote and communicatively connected to the computing device 600.

The computing device 600 includes a power supply 616, which is powered by one or more batteries or other power sources and which provides power to other components of the computing device 600. The power supply 616 may also be connected to an external power source that overrides or recharges the built-in batteries or other power sources.

The computing device 600 may include one or more communication transceivers 630 that may be connected to one or more antenna(s) 632 to provide network connectivity (e.g., mobile phone network, Wi-Fi®, Bluetooth®) to one or more other servers and/or client devices (e.g., mobile devices, desktop computers, or laptop computers). The computing device 600 may further include a network adapter 636, which is a type of computing device. The computing device 600 may use the adapter and any other types of computing devices for establishing connections over a wide-area network (WAN) or local-area network (LAN). It should be appreciated that the network connections shown are exemplary and that other computing devices and means for establishing a communications link between the computing device 600 and other devices may be used.

The computing device 600 may include one or more input devices 634 such that a user may enter commands and information (e.g., a keyboard or mouse). These and other input devices may be coupled to the server by one or more interfaces 638, such as a serial port interface, parallel port, or universal serial bus (USB). The computing device 600 may further include a display 622, such as a touch screen display.

The computing device 600 may include a variety of tangible processor-readable storage media and intangible processor-readable communication signals. Tangible processor-readable storage can be embodied by any available media that can be accessed by the computing device 600 and includes both volatile and nonvolatile storage media, removable and non-removable storage media. Tangible processor-readable storage media excludes communications signals (e.g., signals per se) and includes volatile and nonvolatile, removable and non-removable storage media implemented in any method or technology for storage of information such as processor-readable instructions, data structures, program modules or other data. Tangible processor-readable storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CDROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information and which can be accessed by the computing device 600. In contrast to tangible processor-readable storage media, intangible processor-readable communication signals may embody processor-readable instructions, data structures, program modules or other data resident in a modulated data signal, such as a carrier wave or other signal transport mechanism. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, intangible communication signals include signals traveling through wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media.

Various software components described herein are executable by one or more hardware processors, which may include logic machines configured to execute hardware or firmware instructions. For example, the processors may be configured to execute instructions that are part of one or more applications, services, programs, routines, libraries, objects, components, data structures, or other logical constructs. Such instructions may be implemented to perform a task, implement a data type, transform the state of one or more components, achieve a technical effect, or otherwise arrive at a desired result.

Aspects of processors and storage may be integrated together into one or more hardware logic components. Such hardware-logic components may include field-programmable gate arrays (FPGAs), program- and application-specific integrated circuits (PASIC/ASICs), program- and application-specific standard products (PSSP/ASSPs), system-on-a-chip (SOC), and complex programmable logic devices (CPLDs), for example.

The terms “module,” “program,” and “engine” may be used to describe an aspect of a remote control device and/or a physical controlled device 802 implemented to perform a particular function. It will be understood that different modules, programs, and/or engines may be instantiated from the same application, service, code block, object, library, routine, API, function, etc. Likewise, the same module, program, and/or engine may be instantiated by different applications, services, code blocks, objects, routines, APIs, functions, etc. The terms “module,” “program,” and “engine” may encompass individual or groups of executable files, data files, libraries, drivers, scripts, database records, etc.

It will be appreciated that a “service,” as used herein, is an application program executable across multiple user sessions. A service may be available to one or more system components, programs, and/or other services. In some implementations, a service may run on one or more server computing devices.

While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any inventions or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular described technology. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.

Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.

A number of implementations of the described technology have been described. Nevertheless, it will be understood that various modifications can be made without departing from the spirit and scope of the recited claims.

What is claimed is:
1. A computing-processor-implemented method comprising: receiving a ciphertext output of an arithmetic evaluation function, the arithmetic evaluation function being performed on a ciphertext input homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property; and decrypting the ciphertext output using a summation of two or more noise-canceling party identifiers of two or more authorized parties, wherein the intersection property of the sets cancels out errors generated during the decrypting operation for the two or more authorized parties and an attempting to decrypt the ciphertext output using a summation of one or more noise-canceling party identifiers of one or more unauthorized parties, wherein the intersection property of the sets fails to cancel out errors generated during the attempted decryption and the attempted decryption operation fails for the one or more unauthorized parties.
2. The computing-processor-implemented method of claim 1, wherein two vectors of a covering vector family of the set-system represent two sets of the set-system and have an inner product equal to a multiple of a non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer.
3. The computing-processor-implemented method of claim 1, wherein the ciphertext output is generated to be decrypted using the set-system including the sets having the intersection property.
4. The computing-processor-implemented method of claim 1, wherein each of the two or more noise-canceling party identifiers represents a summation of inner products of trust vectors corresponding to each of the two or more authorized parties.
5. The computing-processor-implemented method of claim 1, wherein the decrypting operation generates a plaintext result of the arithmetic evaluation function performed on the ciphertext input.
6. The computing-processor-implemented method of claim 1, wherein a set represented by a first summation of trust vectors of the two or more authorized parties is always a superset or subset of a set in the set-system and a second summation of trust vectors of one or more unauthorized parties is never a superset or a subset of a set in the set-system.
7. A system comprising: one or more hardware processors; a communication interface coupled to the one or more hardware processors and configured to receive a ciphertext output of an arithmetic evaluation function, the arithmetic evaluation function being performed on a ciphertext input homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property; and a decryptor executable by the one or more hardware processors and configured to decrypt the ciphertext output using a summation of two or more noise-canceling party identifiers of two or more authorized parties, wherein the intersection property of the sets cancels out errors generated during the decryption for the two or more authorized parties and an attempt to decrypt the ciphertext output using a summation of one or more noise-canceling party identifiers of one or more unauthorized parties, wherein the intersection property of the sets fails to cancel out the errors generated during the attempted decryption and the attempted decryption fails for the one or more unauthorized parties.
8. The system of claim 7, wherein two vectors of a covering vector family of the set-system represent two sets of the set-system and have an inner product equal to a multiple of a non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer.
9. The system of claim 7, wherein the ciphertext output is generated to be decrypted using the set-system including the sets having the intersection property.
10. The system of claim 7, wherein each of the two or more noise-canceling party identifiers represents a summation of inner products of trust vectors corresponding to each of the two or more authorized parties.
11. The system of claim 7, wherein the decryptor is further configured to generate a plaintext result of the arithmetic evaluation function performed on the ciphertext input.
12. The system of claim 7, wherein a set represented by a first summation of trust vectors of the two or more authorized parties is always a superset or subset of a set in the set-system and a second summation of trust vectors of one or more unauthorized parties is never a superset or a subset of a set in the set-system.
13. One or more tangible processor-readable storage media embodied with instructions for executing on one or more processors and circuits of a computing device a process comprising: receiving a ciphertext output of an arithmetic evaluation function, the arithmetic evaluation function being performed on a ciphertext input homomorphically encrypted from a plaintext input using a set-system including sets having an intersection property; and decrypting the ciphertext output using a summation of two or more noise-canceling party identifiers of two or more authorized parties, wherein the intersection property of the sets cancels out errors generated during the decrypting operation for the two or more authorized parties and an attempt to decrypt the ciphertext output using a summation of one or more noise-canceling party identifiers of one or more unauthorized parties, wherein the intersection property of the sets fails to cancel out errors generated during the attempted decryption and the attempted decryption operation fails for the one or more unauthorized parties.
14. The one or more tangible processor-readable storage media of claim 13, wherein two vectors of a covering vector family of the set-system represent two sets of the set-system and have an inner product equal to a multiple of a non-prime integer when the size of the intersection of the sets represented by the two vectors is a multiple of the non-prime integer.
15. The one or more tangible processor-readable storage media of claim 13, wherein the ciphertext output is generated to be decrypted using the set-system including the sets having the intersection property.
16. The one or more tangible processor-readable storage media of claim 13, wherein each of the two or more noise-canceling party identifiers represents a summation of inner products of trust vectors corresponding to each of the two or more authorized parties.
17. The one or more tangible processor-readable storage media of claim 13, wherein a set represented by a first summation of trust vectors of the two or more authorized parties is always a superset or subset of a set in the set-system and a second summation of trust vectors of one or more unauthorized parties is never a superset or a subset of a set in the set-system.